Splunk Enterprise

Stats missing on 9.2 Indexes page

sbur2467
Engager

My company had a Splunk 8.0 server that hadn't been upgraded in years. There was a lot of abandoned testing on it over the years, so cleanup and multiple upgrades to get to 9.2.1 were going to be a big undertaking. I decided to stand up a new server with 9.2.1 and migrate over the data. We went live on it a few weeks ago. We've had no issues with ingesting data or searches or alerts. However, the Indexes page under Settings shows 0 on all indexes for Current Size and Event Count. Earliest Event and Latest Event are all blank. This is happening on all the indexes, both internal and non-internal.

We noticed this before go live and talked to support. They said it was because of the trial license we were using and would go away when we put our real license on it during go live. We did the license switch during go live but we're still seeing 0 for everything. We can search on these indexes so there is data in them. I don't see any errors in the logs when we go to the indexes page.


If I go to Indexes and Volumes: Instances in the Monitoring console under snapshots, it shows my bucket count and space used on the file system, but index usage is 0 for everything. Under historical it does show the index sizes.

1 Solution

sbur2467
Engager

I finally figured out the issue. We have Splunk Observability Cloud. I had set up Log Observer to connect to the Enterprise instance. Part of the setup is to add indexes_list_all to the authorize.conf file and make sure it's not checked for the new role you create for LO. I didn't realize that without that entry in authorize.conf it was enabled for all roles. Once I added the capability in the file, it became disabled for all roles. I added that to the admin role and now all the stats are displaying on the indexes page.


0 Karma
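
An added example (not part of the original post and not Splunk's own tooling): a Python check over merged authorize.conf text, for instance saved `splunk btool authorize list` output, that reports which roles hold indexes_list_all, including through importRoles inheritance. The `[capability::indexes_list_all]` stanza name, the `lo_connect` role and the sample configuration are assumptions constructed for illustration.

```python
CAP = "indexes_list_all"

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def roles_with_capability(text, cap=CAP):
    """Return (capability_defined, sorted roles holding cap, incl. inherited)."""
    stanzas = parse_conf(text)
    defined = f"capability::{cap}" in stanzas
    roles = {n[len("role_"):]: s for n, s in stanzas.items() if n.startswith("role_")}
    if not defined:
        # Behaviour described in the post: with no stanza, no role is restricted.
        return False, sorted(roles)

    def holds(role, seen=()):
        s = roles.get(role)
        if s is None or role in seen:  # unknown role or importRoles cycle
            return False
        if s.get(cap, "").lower() == "enabled":
            return True
        parents = [p.strip() for p in s.get("importRoles", "").split(";") if p.strip()]
        return any(holds(p, seen + (role,)) for p in parents)

    return True, sorted(r for r in roles if holds(r))

# Constructed sample: state after the fix described in the post.
SAMPLE_AFTER = """[capability::indexes_list_all]
[role_admin]
importRoles = power;user
indexes_list_all = enabled
[role_power]
importRoles = user
[role_user]
[role_lo_connect]
importRoles = user
"""
# Constructed: capability declared but granted to nobody (Indexes page shows 0).
SAMPLE_BEFORE = SAMPLE_AFTER.replace("indexes_list_all = enabled\n", "")
# Constructed: stanza absent, the state before Log Observer setup.
SAMPLE_NO_STANZA = SAMPLE_BEFORE.replace("[capability::indexes_list_all]\n", "")
```

An empty role list alongside a defined capability matches the symptom in this thread: searches work, but the Indexes page reports 0 for every index.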
